Attleboro anti-abortion center stole patient data from nearby clinic, lawsuit alleges

A health care worker uses an ultrasound machine to scan a patient's abdomen. — FILE - A doctor performs an ultrasound scan on a pregnant woman at a hospital in Chicago in 2018.

Hannah Reale is an associate digital editor with GBH News. Feedback? Questions? Story ideas? Reach out to Hannah at hannah_reale@wgbh.org.

September 06, 2024

A woman in Attleboro takes an at-home test and finds out she’s pregnant. She looks up nearby reproductive health clinics and finds one: Four Women Health Services, which has also been providing abortions for decades. She sends a request through an online chat on Four Women’s website to set up an ultrasound appointment.

Less than half an hour later, she receives a call to schedule an appointment and books one.

But the person who just called her doesn’t work for Four Women. They called to book her an appointment at the center across the street: Attleboro Women’s Health Center, or Abundant Hope.

That’s what allegedly happened last October. Four Women is now suing in federal court, alleging that at least four potential patients apparently had their messages intercepted by Attleboro Women’s Health Center — an entity that is not a licensed health care facility and does not provide abortions.

“AWHC’s outreach to Four Women’s patients appears to be the result of their unlawful infiltration of Four Women’s electronic platforms,” said Matthew Patton, an attorney representing Four Women. “The patients they are intercepting are seeking a range of reproductive health care services, from birth control to abortions to ultrasounds.”

“AWHC is meddling and causing irreparable harm in personal decision-making in a health care market where time is of the essence to get safe and effective health care, advice and treatment for every patient,” he added.

Anti-abortion centers have been a point of frustration for reproductive health advocates in Massachusetts. The Healey administration launched a public awareness campaign this summer that aims to inform residents about the “dangers” of such centers. According to the governor’s office, they “purport” to offer reproductive health care services but actually attempt to dissuade people from seeking abortions. The Healey administration says such centers outnumber comprehensive reproductive health clinics by more than two to one in Massachusetts.

Reproductive health and privacy advocates responded with alarm to the allegations Thursday.

“These allegations, if true, are deeply concerning,” Kade Crockford, who directs the ACLU of Massachusetts’ Technology for Liberty Program, said in a statement to GBH News. “Privacy is mission critical to reproductive freedom. “People seeking reproductive health care should not have to worry about whether their sensitive communications are being intercepted, who is buying or selling their location information, or how their digital footprint could be used by police, prosecutors, or bounty hunters.”

Daly Barnett, a staff technologist with the digital civil liberties group Electronic Frontier Foundation who focuses on reproductive justice issues, reviewed the filings at GBH News’ request. She said she was “surprised” at how clear it seemed that the center had intercepted communications between Four Women and prospective patients.

“It’s usually not so obvious that there’s something really fishy happening,” Barnett said. “But there are a lot of unanswered questions about, like, exactly what’s going on.”

Barnett says she frequently speaks with doctors who were “not prepared” to become data security experts after the Supreme Court overturned Roe v. Wade two summers ago.

“These smaller clinics and these providers have to basically become their own IT experts to reevaluate their operational security,” she said. “It’s not fair. It’s absurd.”

She recalled a recent example of an anti-abortion ad campaign that targeted people who had visited any of hundreds of Planned Parenthood facilities with location data.

“It’s a tragedy that we have to then think about the technologies — which are also opaque, which are also difficult to understand, and seemingly insurmountable in their sophistication of surveillance and the way that they’re networked together against us,” Barnett said.

It is unclear exactly how Four Women’s patient communications were allegedly compromised. A digital security analyst contracted by Four Women, Robert Knapp with Rapid7 in Texas, said in court filings that the “most likely points” through which the center allegedly accessed patient data are Klara and AthenaHealth, two third-party vendors that Four Women uses to communicate with patients and manage their data. Neither company responded to GBH News’ requests for comment.

Attleboro Women’s Health Center director Darlene Howard declined to comment for this story.

It’s rare for a technology to be completely compromised, Barnett said. What’s more common — and the simplest explanation — is what she called “insider threat,” or an employee intentionally leaking data.

“I would love to hear from the app developers ... I want to hear from tech people exactly what is happening,” Barnett said. “It’s actually quite rare that an app itself is so heavily compromised — like, technically speaking, that there’s some vulnerability that is being burned by some hackers.”

Attorneys for Four Women argue that the center violated federal wiretapping provisions and state consumer protection laws. Four Women is seeking an injunction to halt Attleboro Women’s Health Center from accessing its communications with patients and at least $20,000 in damages, as well as asking the court to stop the center from providing ultrasounds altogether.

A spokesperson for Massachusetts Attorney General Andrea Campbell’s office said it is reviewing the complaint and directed anyone who needs support accessing abortion care to its Abortion Legal Hotline. Attleboro’s police department did not respond to questions about whether the alleged conduct had been reported to local law enforcement.